Exchange 5.0 POP3 Passwords

Reported August 27, 1997 by Rajiv Pant

Systems Affected

Windows NT 4.0 Server running Exchange 5.0 with POP service

The Problem

Exchange 5.0 Server"s POP3 service does not properly expire cached passwords. Therefore, old passwords continue to be valid along with newly set passwords until the cache expires. The same problem can be found in Microsoft"s FTP, HTTP, and Gopher services, as pointed out by David LeBlanc. According to Rajiv Pant, this problem does not affect the new web page interface to get your mail which uses a different authentication. Nor does it affect NT logons.

Stopping the Problem:

Correcting the problem entails adjusting the cache timeout in the Registry.

From the MS KB Article Q166620:

The credentials cache is controlled by the following registry values:

HKLM\System\CurrentControlSet\Services
\MsExchangeIs\ParametersNetIf
\Credentials
Cache Age Limit         (Default  = 120 minutes)

HKLM\System\CurrentControlSet\Services
\MsExchangeIs\ParametersNetIf
\Credentials
Cache Idle Limit                (Default = 15 minutes)

HKLM\System\CurrentControlSet\Services
\MsExchangeIs\ParametersNetIf
\Credentials
Cache Size              (Default = 256 buckets)
Note: to turn off caching, you should set the size = 0

The Age limit specifies the maximum length of time (in minutes) for entries to live in the cache, the Idle limit specifies the amount of idle time after which a credential cache element will be considered too old (and thus discarded).

Microsoft"s Response:

They have been notified, but their response it unknown as of September 1. Perhaps this functionality is by design.

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by Rajiv Pant
Posted here at NTSecurity.Net August 31, 1997 11am